Reporting data breach under the GDPR

The occurrence of a data breach is always a stressful and negative experience that usually results in reputation damage, as well as direct and indirect costs for the organization that can continue for months, even years.

On top of that, General Data Protection Regulation (GDPR) leaves a limited timeframe for reporting the data breach to the supervisory authority when personally identifiable information (PII) is compromised, and according to the recent “Cost of a Data Breach Report, PII was the most often type of data lost or stolen in breaches (80%).

However, if you prepare and react fast you can at least contain unnecessary costs inflicted by the data breach and avoid non-compliance with the data protection law along with high GDPR fines.

What is a personal data breach

A personal data breach is a security breach that can lead to accidental or deliberate loss, destruction, corruption, unauthorized disclosure, or alteration of personal data that can cause material or non-material damages to natural persons. A data breach can also affect the integrity, availability, and confidentiality of your data.

The consequence of such a breach is that the controller is unable to ensure compliance with the principles relating to the processing of personal data (Article 5).

While all personal data breaches are security incidents, not all security incidents are necessarily personal data breaches!

Differentiating security incident from a personal data breach will help you decide whether you are obligated to report a specific incident to the supervisory authority or not.

How to respond when a personal data breach occurs

When a personal data breach occurs, you will have to assess the severity of potential risks to an individual’s rights and freedoms. If it is likely that there will be a risk then you must notify the supervisory authority. If it is highly unlikely that the breach would affect personal data, then you are not obligated to report it.

How to decide whether you should notify supervisory authority?

We advise to take into account different ways in which the data breach can affect individuals when assessing the impact;

“A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons such as loss of control over their personal data or limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy or any other significant economic or social disadvantage to the natural person concerned.” Recital 85

WP29 EXAMPLE #1

If personal data have been made essentially unintelligible to unauthorized parties (using an encryption key that was not compromised) and where the data are a copy or a backup exists, a confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority. This is because such a breach is unlikely to pose a risk to individuals’ rights and freedoms.

WP29 EXAMPLE #2

Where personal data are already publically available and disclosure of such data does not constitute a likely risk to the individual.

examples for data breach report under the GDPR
Source: WP29 Guidelines on Personal data breach notification under Regulation

When assessing the risk you should take into consideration both the likelihood and severity of the risk to the rights and freedoms of data subjects. Regardless of your assessment and decision, you should document your decision since it will make it easier for you to justify it if necessary.

What should notification include

The notification of a breach to the supervisory authority should:

➡️ Describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
➡️ Include the name and contact details of the DPO or any other contact of the person involved in the process, who can be reached regarding additional information;
➡️ Describe the possible effects of the personal data breach;
➡️ Describe the measures you are taking to address the breach.

The GDPR does not define categories of data subjects or personal data records that should be specified in the notification. However, it is advised to define categories of data subjects whose personal data has been affected by a breach, like children, people with disabilities, or employees. The same goes for special categories of data.

If you do not know all information that notification requires, do not let that keep you from reporting a breach. You can always fill in the information, later on. The focus should always be on containing the damages and protecting individuals, numbers are there to help us grasp the magnitude of the breach.

Should you notify individuals about the personal data breach?

You are obligated to inform the individuals about the breach without undue delay if it is likely to result in a high risk to their rights and freedoms. How can you tell if the risk is high? The risk is higher if the effect of the violation is more severe; if the probability of the consequences is greater, then again the risk is higher.

Besides explaining the nature of the personal data breach, you should notify individuals about the name and contact details of your DPO (or other contact points), a description of the possible consequences of the breach, and the description of the measures taken to resolve the occurred situation with the breach.

➡️ Description of the nature of the breach;
➡️ The name and contact details of the data protection officer or other contact points;
➡️Description of the likely consequences of the breach;
➡️ Description of the measures taken or proposed to be taken by the controller to address the breach

One of the reasons individuals need to be aware of the breach is to help them protect themselves from the consequences of the breach.

72-hour timeframe

The GDPR states that if any personal data breach occurs, the controller needs to immediately, and no later than 72 hours after becoming aware of a personal data breach, notify the competent national supervisory authority (or in the case of a cross-border breach, to the lead authority) and, in certain cases, communicate the breach to the individuals whose personal data have been affected by the breach.

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.” (Article 33)

According to the WP29 guidelines, when notifying the supervisory authority, controllers can obtain advice on whether the affected individuals need to be informed.

You can find the list of all data protection authorities that supervise the application of the data protection law and find out how you can report a data breach.

What is the role of the data processors?

The GDPR requires both controllers and processors to have in place appropriate technical and organizational measures to ensure a level of security appropriate to the risk posed to the personal data being processed. The processor is obligated to notify the controller without undue delay after becoming aware of a personal data breach.

If you have a cooperation with data processors, you need to sign a contract between you as a data controller and them as your processor. All the requirements on breach reporting should be put in the contract and described in detail. Data processors must assist data controllers in notifying data breaches or in conducting a Data Protection Impact Assessment (DPIA).

Proper breach procedures require data processors to understand what constitutes a data breach, as well as react according to their responsibilities.

Prepare procedures

If you have an Incident Respons team and IR plan, you can lower the cost of a data breach for as much as $2 million, according to the Cost of a Data Breach Report. That is a great indicator of how preparing and planning can make a huge financial difference to the organization.

Make sure to develop your internal policies and procedures related to dealing with the occurrence of personal data breaches. You can standardize operational procedures for data breaches, and they will help you guide your way during personal data breach incidents.

You should always know what needs to be done before, during, and after the occurrence of the data breach. The standard operating procedure needs to set the risk profile of personal data in each section of the data controller’s system and provide the details necessary to enable the controller to conduct the steps of the risk assessment.